What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a MedusaLocker attack can make a huge difference and help you make a full recovery. Request 24/7 MedusaLocker ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

MedusaLocker ransomware statistics & facts

MedusaLocker decryptor
MedusaLocker IOCs
MedusaLocker attack vectors
Case outcomes
How to remove MedusaLocker ransomware?
How to recover from MedusaLocker ransomware?
Ransom amounts
MedusaLocker decryptor

A public decryptor exists for some older MedusaLocker variants (v1 and early v2), but no decryptor exists for current versions (v3+). Check Emsisoft or No More Ransom websites to verify if your variant has a public decryptor before paying any ransom.

MedusaLocker IOCs

Indicators are identified through RDP logs, Windows Event Log entries, ransom note patterns, file extension analysis, and dark web leak site monitoring.

File extensions
.deadfiles, .readinstructions, .lockfiles, .encrypted, .medusa, or sometimes random 4-8 character extensions (varies per incident)

Ransom note filenames
How_to_back_files.html, How_To_Restore_FILES.html, README.txt, RESTORE_YOUR_FILES.txt (varies per variant and affiliate)

MedusaLocker hashes
SHA256 hashes vary across samples and versions; representative MedusaLocker binaries from v1, v2, and v3 variants have been analyzed by Bleeping Computer, Kaspersky, and Emsisoft. No single hash signature represents all variants. Binaries are compiled with different parameters per affiliate deployment, making hash-based detection unreliable.

MedusaLocker tools
– Initial access: RDP brute-force attacks, phishing emails with malicious attachments (historical)
– Credential dumping: Mimikatz, procdump, hashdump, credential manager extraction
– Lateral movement: PsExec, WinRM, Kerberoasting, pass-the-hash attacks
– Persistence: Scheduled tasks, registry run keys, WMI event subscriptions, rogue local accounts
– Data exfiltration: FileZilla, WinRAR, Rclone, or custom exfiltration scripts
– Encryption: MedusaLocker ransomware binary deploying AES-256 + RSA-2048
– Defense evasion: Disabling Windows Defender, deleting shadow copies (vssadmin), clearing event logs

Most common red flag
RDP brute-force login attempts followed by successful administrative RDP session, followed within hours by powershell.exe execution with commands to disable Windows Defender and delete shadow copies: `vssadmin delete shadows /all /quiet`.

MedusaLocker attack vectors

Attack vector

% of MedusaLocker incidents

Notes

RDP brute-force with weak passwords

65%

Exposed port 3389 with weak or default credentials

Phishing emails with malicious attachments

20%

Macro-enabled documents or direct executable attachments (historical, less common 2024)

Compromised RDP credentials from data breaches

10%

Credentials obtained from previous breaches or dark web credential dumps

Unpatched RDP vulnerability exploitation

5%

Legacy CVEs in Windows RDP or RDP gateway software

Powered By WP Table Builder
Case outcomes

MedusaLocker victims typically experience 1–3 week campaigns from initial RDP compromise to ransom demand. Organizations with poor network segmentation report encryption spreading to all accessible systems within 24–48 hours. Negotiation phases typically last 1–3 weeks, with ransom demands ranging from $30,000 (small organizations) to $1,000,000+ (large enterprises). One documented healthcare victim paid $250,000 to recover patient records within 48 hours of encryption. Education sector victims report average ransom payments of $80,000–$150,000. Law enforcement (FBI, HHS) has published warnings on MedusaLocker targeting healthcare organizations.

How to remove MedusaLocker ransomware?

1. Immediately block or disable RDP access from the internet—restrict RDP to internal networks only via VPN.
2. Force logout all active RDP sessions; change all RDP account passwords using a clean, air-gapped machine.
3. Isolate all infected systems from the network and boot into safe mode.
4. Scan with updated antivirus/EDR tools to locate and remove the MedusaLocker binary.
5. Remove any secondary persistence mechanisms (scheduled tasks, registry run keys, WMI event subscriptions).
6. Restore system registry hives from backup if attackers modified them (System, SAM, Security).
7. Check Event Viewer for evidence of other administrative account creation or lateral movement attempts.
8. Rebuild systems from clean images rather than attempting file-by-file removal.

How to recover from MedusaLocker ransomware?

1. Restore encrypted files from clean backups created before the RDP compromise (test in isolated environment first).
2. Check No More Ransom or Emsisoft websites to confirm whether your MedusaLocker variant has a public decryptor.
3. If no backups or public decryptor exist, decrypt using the MedusaLocker decryption key (if obtained via ransom payment or law enforcement recovery).
4. Validate all restored files through integrity checks and application-level testing.
5. Implement network segmentation isolating critical systems from general networks.
6. Deploy EDR solutions on all systems to detect future intrusion attempts.
7. Implement continuous incremental backups with immutable storage.
8. Force password resets and implement multi-factor authentication on all critical accounts.

Ransom amounts

MedusaLocker operators typically demand $30,000–$1,000,000+ depending on organization size, sector, and data sensitivity. Healthcare organizations report average demands of $200,000–$500,000; education sector victims report $80,000–$250,000; smaller organizations report $30,000–$100,000. Negotiation typically reduces initial demands by 30–50%. Payment is demanded in cryptocurrency (Bitcoin or Monero).

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is MedusaLocker ransomware?

MedusaLocker is a ransomware-as-a-service operation that emerged in September 2019 and primarily targets healthcare, education, and government organizations. The group initially relied on phishing emails with malicious attachments as the primary attack vector. However, in 2022, the group shifted strategy to exploit exposed RDP services with weak passwords, making RDP brute-force attacks the dominant initial access method. MedusaLocker encrypts files using AES-256 symmetric encryption paired with RSA-2048 public-key encryption, employs a RaaS model recruiting affiliates to conduct initial access and lateral movement, and operates double extortion by exfiltrating data before encryption.

Where is MedusaLocker gang located?

Operational patterns suggest MedusaLocker operators are based in Eastern Europe or the CIS region. The group’s focus on English-language ransom notes and healthcare-targeting suggests possible Russian or Ukrainian origin. No definitive geolocation has been published by threat intelligence firms.

How does MedusaLocker ransomware work?

MedusaLocker attacks begin with RDP service scanning and brute-force password attacks against common usernames (administrator, guest) using weak password dictionaries. Once an RDP account is compromised, attackers connect to the network and conduct lateral movement using stolen credentials, Mimikatz for credential dumping, and tools like PsExec for command execution. Attackers identify and exfiltrate sensitive data (patient records, financial data, personal information) using tools like FileZilla or Rclone. Finally, the MedusaLocker ransomware binary is deployed across the network to encrypt all accessible files. Ransom notes (How_to_back_files.html) are dropped in user directories.

How long do MedusaLocker attacks last?

From initial RDP brute-force compromise to encryption and ransom demand, MedusaLocker attacks typically span 1–3 weeks. RDP compromise to credential dumping may take 1–5 days; lateral movement and data exfiltration occupy 5–15 days; encryption deployment occurs within final 24–48 hours.

Can MedusaLocker ransomware be deleted or decrypted?

MedusaLocker-encrypted files cannot be decrypted without the RSA-2048 private key held by operators. Older variants (v1 and early v2) have public decryptors available from Emsisoft or No More Ransom—check these websites before paying any ransom. Current variants (v3+) have no public decryptor. Deletion of the malware stops further encryption but does not recover encrypted files.

What happens when infected?

When MedusaLocker infects your network via RDP compromise, files are encrypted with various extensions (.deadfiles, .readinstructions, .lockfiles, etc.) and become inaccessible. You discover the compromise when users report inability to access files and systems become unresponsive. Ransom notes (How_to_back_files.html) appear on all infected systems, directing you to access a Tor website with a unique victim ID to negotiate. Additionally, a ransom note appears on the dark web leak site, threatening to publish exfiltrated data if you do not pay within 3–7 days.

How can it be prevented?

Prevent MedusaLocker attacks by: (1) disabling or restricting RDP access from the internet—expose RDP only via VPN with MFA; (2) enforcing strong, unique passwords (minimum 16 characters) on all RDP accounts; (3) implementing multi-factor authentication on all RDP and VPN access; (4) monitoring RDP login logs for brute-force attempts and failed logins; (5) implementing network segmentation isolating critical systems from general corporate networks; (6) deploying EDR solutions with behavioral detection for credential dumping and lateral movement; (7) maintaining immutable, off-site backups; (8) disabling RDP on systems that do not require it; and (9) blocking RDP on non-standard ports if possible.

What is a ransomware prevention checklist?

– Disable RDP access from the internet entirely; expose RDP only via VPN
– Require multi-factor authentication on all RDP and VPN endpoints
– Enforce strong, unique passwords (minimum 16 characters) on all RDP accounts
– Monitor and alert on RDP login failures (brute-force attempts) and unusual successful logins
– Implement network segmentation isolating critical systems from general corporate networks
– Deploy EDR solutions with behavioral detection for credential dumping and lateral movement activity
– Create daily incremental backups with immutable (write-once) offline storage
– Test backup restoration monthly to ensure recovery capability
– Disable RDP on systems that do not require it
– Implement firewall rules restricting RDP access by source IP if possible
– Monitor for unusual PowerShell execution (particularly vssadmin delete shadows) and alert on shadow copy deletion
– Implement local admin password management (LAPS) to randomize and secure local account passwords
– Conduct quarterly vulnerability scans of all systems for unpatched RDP vulnerabilities

How does MedusaLocker differ from newer groups like Sarcoma and Cicada3301?

MedusaLocker is one of the longest-running ransomware operations (active since 2019) and represents the traditional encryption-based RaaS model. Newer groups like Sarcoma employ “Living Off the Land Remotely” tactics using legitimate RMM tools, while Cicada3301 specifically targets virtualized infrastructure (ESXi hypervisors). MedusaLocker’s RDP-focused approach is more of an “opportunistic” targeting strategy—the group scans broadly for exposed RDP services rather than conducting targeted reconnaissance. This makes MedusaLocker both easier to defend against (disable RDP) and more likely to impact smaller organizations with exposed remote access infrastructure.

Are there public decryptors for MedusaLocker?

Yes, for some older variants. Emsisoft released a free decryptor for MedusaLocker v1 and v2 variants, available at the No More Ransom project (nomoreransom.org). Check the website to see if your specific variant has a public decryptor before paying any ransom. However, no public decryptors exist for current MedusaLocker v3 variants, making air-gapped backups the only reliable recovery option for recent attacks.